Immuni app: the specifications made public. Here’s how it works

While waiting for the operating system updates from Apple and Google that will allow the Immuni app to communicate via Bluetooth with other devices without hitches, the official technical specifications of the contact tracing app, certified by the Ministry of Health to contain the spread of the Covid-19 pandemic, have been released. The GitHub document, drawn up by Luca Ferrari, one of the founders of the development company Bending Spoons, confirms what was already known in broad terms about the app, which is expected by the end of the month.


“Very interesting. The documentation is still incomplete, they should release the rest later, but the ‘open’ approach is positive,” comments Marco Ramilli, founder of Yoroi, a Bologna-based company specialized in computer security. “They want to put the community of programmers in a position to compile the project with open source tools so that there are no disparities. They also admit that for Apple devices it is a little more difficult because of the structure to which some features are subject.”

The first access

Upon first access, the Immuni app will ask the user – who must be over 14 years old – to specify the province in which he or she is located, information useful to the health authorities “to show relevant information at local level to the user if a risky contact is notified.” Consent will then be requested for the processing of sensitive data in compliance with the GDPR, the European privacy regulation. No data will be shared with third parties, except in aggregate, anonymous form and for research purposes.


Geolocation and notifications

As for operation, which still requires the authorization of the second user, it is automatic in the sense that no action is required. But there is a substantial difference between Google’s Android-based devices and Apple’s iOS-based ones. For the former, activating geolocation (essential to make it work) will be required, even though Google has given assurances that the related information will not be acquired. During installation, in fact, the app will not request authorization to access GPS data. Apple, by contrast, will ask for authorization only to send exposure notifications (already active on Android).

Bluetooth and the temporary code

The system is based on Bluetooth Low Energy (low energy consumption): if two devices meet at close range they exchange a temporary exposure key, i.e. a temporary encrypted numeric code that is exchanged anonymously, so that it will not be possible to trace the identity of the people involved. This code will be stored on the device, as is usual in the “decentralized method” adopted in Italy, and kept for up to 14 days before being deleted. The respective smartphones will record meetings lasting a minimum of five minutes and up to a maximum of half an hour. In addition, “Immuni will have no way of determining whether multiple exposures occurred over several days between the same phones,” explains the document, thus ruling out any reconstruction of frequent meetings between two people.


The risk warning

A user who has come into contact with a person who later tested positive for Covid-19 will receive a risk notification, along with an alert level set according to the parameters established by the health authorities, on which the various preventive countermeasures indicated may depend.

If a person tests positive for Covid-19, they can voluntarily report it anonymously in a dedicated section, protected by a unique password to be used only once. At that point all the other smartphones that have come into contact with the infected person in the past few days will receive the notification. All steps, including final validation, require the user’s consent.

Every day the app will connect to the central database to compare and update the information about positive cases: by cross-checking this data it will be possible to trace contacts and assess the risk index.
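The on-device flow described here and under “Bluetooth and the temporary code”, as an added example that is not code from Immuni or from the Apple/Google framework. It uses only the figures given in the article (14-day retention, five-minute minimum, half-hour cap); the class and function names and the sample codes are assumptions, and the codes are treated as opaque bytes without modelling how they are generated.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

RETENTION = timedelta(days=14)       # codes stay on the device for up to 14 days
MIN_CONTACT = timedelta(minutes=5)   # shorter meetings are not recorded
MAX_CONTACT = timedelta(minutes=30)  # recorded duration is capped at half an hour

@dataclass
class Encounter:
    code: bytes          # temporary code received over Bluetooth (opaque here)
    start: datetime
    duration: timedelta

@dataclass
class Device:
    encounters: list = field(default_factory=list)

    def record(self, code, start, end):
        """Store a meeting locally if it lasted long enough; cap its duration."""
        duration = end - start
        if duration < MIN_CONTACT:
            return False
        self.encounters.append(Encounter(code, start, min(duration, MAX_CONTACT)))
        return True

    def purge(self, now):
        """Delete codes that have been held longer than the retention window."""
        self.encounters = [e for e in self.encounters if now - e.start <= RETENTION]

    def daily_check(self, published_codes, now):
        """Match downloaded codes of positive users against the local store.
        The comparison runs on the device; returns total matched exposure time."""
        self.purge(now)
        positives = set(published_codes)
        hits = [e.duration for e in self.encounters if e.code in positives]
        return sum(hits, timedelta())

def demo():
    now = datetime(2020, 5, 20, 12, 0)           # constructed sample date
    a, b, c = b"code-A", b"code-B", b"code-C"    # constructed sample codes
    phone = Device()
    day = lambda n: now - timedelta(days=n)
    phone.record(a, day(2), day(2) + timedelta(minutes=3))     # too short: dropped
    phone.record(b, day(3), day(3) + timedelta(minutes=50))    # kept, capped to 30
    phone.record(c, day(20), day(20) + timedelta(minutes=10))  # kept, then expired
    return phone.daily_check([a, b, c], now)

if __name__ == "__main__":
    print(demo())
```

Because the central database only supplies the list of codes and the comparison happens in `daily_check` on the phone, the server never learns which devices matched.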

The security

As anticipated by the document published on Thursday, other reports will be shared in the future that go into the merits of the security aspects, with the details of the “penetration test” that Immuni will have to undergo before being distributed. The data will be stored on public servers managed by Sogei, the IT company controlled by the Ministry of Economy and Finance (and involved in the project with PagoPA, the public S.p.A. for digital payments, which has the role of technological coordination). A further measure prepared by the developers is the production of so-called “dummy traffic”, i.e. the transmission of junk data generated by the devices in order to pollute the signal and prevent third parties from acquiring information by analysing that traffic.

“They have remained available for collaboration with cybersecurity experts on testing the application,” concludes Ramilli. “In short, they have started a first, positive documentation phase.” We will see what happens next once it is finished.
